<html>
<head><meta charset="utf-8"><title>crater and lockfiles · t-infra · Zulip Chat Archive</title></head>
<h2>Stream: <a href="https://rust-lang.github.io/zulip_archive/stream/242791-t-infra/index.html">t-infra</a></h2>
<h3>Topic: <a href="https://rust-lang.github.io/zulip_archive/stream/242791-t-infra/topic/crater.20and.20lockfiles.html">crater and lockfiles</a></h3>

<hr>

<base href="https://rust-lang.zulipchat.com">

<head><link href="https://rust-lang.github.io/zulip_archive/style.css" rel="stylesheet"></head>

<a name="208586201"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/242791-t-infra/topic/crater%20and%20lockfiles/near/208586201" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/242791-t-infra/topic/crater.20and.20lockfiles.html#208586201">(Aug 31 2020 at 16:56)</a>:</h4>
<p>For <a href="http://crate.io">crate.io</a> packages, is it possible that crater is respecting package lockfiles? In analyzing <a href="https://crater-reports.s3.amazonaws.com/pr-71274/index.html">this report</a> I am seeing quite a few crates that use crossbeam-epoch 0.7.1 even though 0.7.2 was already released at the time of the run. In almost all cases, the corresponding crate repository contains a lockfile pinning an old crossbeam-epoch. (In one case I was not able to figure out why old crossbeam-epoch was used.)</p>



<a name="208586413"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/242791-t-infra/topic/crater%20and%20lockfiles/near/208586413" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Joshua Nelson <a href="https://rust-lang.github.io/zulip_archive/stream/242791-t-infra/topic/crater.20and.20lockfiles.html#208586413">(Aug 31 2020 at 16:58)</a>:</h4>
<p>shouldn't it respect lockfiles? Otherwise you'd get spurious failures if there was an accidental breaking change in a new release</p>



<a name="208586443"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/242791-t-infra/topic/crater%20and%20lockfiles/near/208586443" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/242791-t-infra/topic/crater.20and.20lockfiles.html#208586443">(Aug 31 2020 at 16:58)</a>:</h4>
<p>most libraries do not have lockfiles, and most of the time that is not a problem as semver is working fine</p>



<a name="208586481"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/242791-t-infra/topic/crater%20and%20lockfiles/near/208586481" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Joshua Nelson <a href="https://rust-lang.github.io/zulip_archive/stream/242791-t-infra/topic/crater.20and.20lockfiles.html#208586481">(Aug 31 2020 at 16:59)</a>:</h4>
<p><span aria-label="shrug" class="emoji emoji-1f937" role="img" title="shrug">:shrug:</span> I don't think crater needs to be introducing new failure modes</p>



<a name="208586482"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/242791-t-infra/topic/crater%20and%20lockfiles/near/208586482" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/242791-t-infra/topic/crater.20and.20lockfiles.html#208586482">(Aug 31 2020 at 16:59)</a>:</h4>
<p>and for crater, such breakage would cause <em>both</em> builds to fail, so -- no problem</p>



<a name="208586537"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/242791-t-infra/topic/crater%20and%20lockfiles/near/208586537" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Joshua Nelson <a href="https://rust-lang.github.io/zulip_archive/stream/242791-t-infra/topic/crater.20and.20lockfiles.html#208586537">(Aug 31 2020 at 16:59)</a>:</h4>
<p>what's the benefit you expect to see from forcing an upgrade?</p>



<a name="208586549"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/242791-t-infra/topic/crater%20and%20lockfiles/near/208586549" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/242791-t-infra/topic/crater.20and.20lockfiles.html#208586549">(Aug 31 2020 at 16:59)</a>:</h4>
<p>respecting lockfiles means outdated buggy dependencies get used which can cause regressions that would not happen with the latest semver-compatible dependencies</p>



<a name="208586610"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/242791-t-infra/topic/crater%20and%20lockfiles/near/208586610" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Joshua Nelson <a href="https://rust-lang.github.io/zulip_archive/stream/242791-t-infra/topic/crater.20and.20lockfiles.html#208586610">(Aug 31 2020 at 17:00)</a>:</h4>
<p>that seems like <em>more</em> reason to respect the lockfile to me</p>



<a name="208586646"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/242791-t-infra/topic/crater%20and%20lockfiles/near/208586646" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Joshua Nelson <a href="https://rust-lang.github.io/zulip_archive/stream/242791-t-infra/topic/crater.20and.20lockfiles.html#208586646">(Aug 31 2020 at 17:00)</a>:</h4>
<p>rustc shouldn't break <em>any</em> code, even if it's not the latest version</p>



<a name="208586654"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/242791-t-infra/topic/crater%20and%20lockfiles/near/208586654" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/242791-t-infra/topic/crater.20and.20lockfiles.html#208586654">(Aug 31 2020 at 17:00)</a>:</h4>
<p>not really, no</p>



<a name="208586696"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/242791-t-infra/topic/crater%20and%20lockfiles/near/208586696" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/242791-t-infra/topic/crater.20and.20lockfiles.html#208586696">(Aug 31 2020 at 17:00)</a>:</h4>
<p>things like <a href="https://github.com/rust-lang/rust/pull/71274">https://github.com/rust-lang/rust/pull/71274</a> do break code</p>



<a name="208586699"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/242791-t-infra/topic/crater%20and%20lockfiles/near/208586699" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/242791-t-infra/topic/crater.20and.20lockfiles.html#208586699">(Aug 31 2020 at 17:00)</a>:</h4>
<p>in a way</p>



<a name="208586714"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/242791-t-infra/topic/crater%20and%20lockfiles/near/208586714" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/242791-t-infra/topic/crater.20and.20lockfiles.html#208586714">(Aug 31 2020 at 17:00)</a>:</h4>
<p>that code used to be UB but did something, after that PR it panics</p>



<a name="208586790"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/242791-t-infra/topic/crater%20and%20lockfiles/near/208586790" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/242791-t-infra/topic/crater.20and.20lockfiles.html#208586790">(Aug 31 2020 at 17:01)</a>:</h4>
<p>we use crater for such soundness fixes regularly, and in that case you really want the most up-to-date dependecies of everything being used, as crates also fix soundness holes all the time</p>



<a name="208586863"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/242791-t-infra/topic/crater%20and%20lockfiles/near/208586863" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/242791-t-infra/topic/crater.20and.20lockfiles.html#208586863">(Aug 31 2020 at 17:01)</a>:</h4>
<p>crater using outdated dependencies means that when analyzing regressions (400 this time :(  ), many of them are actually fixed already (by people fixing the UB in their crate) but crater used the old buggy versions so they still show up as regressions</p>



<a name="208587031"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/242791-t-infra/topic/crater%20and%20lockfiles/near/208587031" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/242791-t-infra/topic/crater.20and.20lockfiles.html#208587031">(Aug 31 2020 at 17:03)</a>:</h4>
<p>I am also just confused as I thought <a href="http://crates.io">crates.io</a> doesnt store any lockfiles. I mean when I depend on some crate on <a href="http://crates.io">crates.io</a> I do not use its lockfile, and when I <code>cargo install</code> it its lockfile does not get used either.</p>



<a name="208587065"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/242791-t-infra/topic/crater%20and%20lockfiles/near/208587065" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/242791-t-infra/topic/crater.20and.20lockfiles.html#208587065">(Aug 31 2020 at 17:03)</a>:</h4>
<p>so in that sense, if crater respects lockfiles it misrepresents what people actually using those crates would get</p>



<a name="208587193"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/242791-t-infra/topic/crater%20and%20lockfiles/near/208587193" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Pietro Albini <a href="https://rust-lang.github.io/zulip_archive/stream/242791-t-infra/topic/crater.20and.20lockfiles.html#208587193">(Aug 31 2020 at 17:04)</a>:</h4>
<p><span class="user-mention" data-user-id="120791">@RalfJ</span> lockfiles on crates or on github repositories?</p>



<a name="208587526"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/242791-t-infra/topic/crater%20and%20lockfiles/near/208587526" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Aaron Hill <a href="https://rust-lang.github.io/zulip_archive/stream/242791-t-infra/topic/crater.20and.20lockfiles.html#208587526">(Aug 31 2020 at 17:07)</a>:</h4>
<p>It looks like rustwide does cache lockfiles: <a href="https://github.com/rust-lang/rustwide/blob/d873727c9628df117037089c8f82cccf275e54a9/src/prepare.rs#L91-L98">https://github.com/rust-lang/rustwide/blob/d873727c9628df117037089c8f82cccf275e54a9/src/prepare.rs#L91-L98</a></p>



<a name="208587622"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/242791-t-infra/topic/crater%20and%20lockfiles/near/208587622" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Aaron Hill <a href="https://rust-lang.github.io/zulip_archive/stream/242791-t-infra/topic/crater.20and.20lockfiles.html#208587622">(Aug 31 2020 at 17:08)</a>:</h4>
<p>I'd like to second <span class="user-mention" data-user-id="120791">@RalfJ</span> 's request - this is an issue for one of my crater runs as well</p>



<a name="208587675"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/242791-t-infra/topic/crater%20and%20lockfiles/near/208587675" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Aaron Hill <a href="https://rust-lang.github.io/zulip_archive/stream/242791-t-infra/topic/crater.20and.20lockfiles.html#208587675">(Aug 31 2020 at 17:09)</a>:</h4>
<p>e.g. this job for a <a href="http://crates.io">crates.io</a> crate says that it re-used the lockfile: <a href="https://crater-reports.s3.amazonaws.com/pr-73084-1/try%2340b20bc1bf55bfe3b99c09c905e596d3e650663c/reg/actix-webfinger-0.3.0-alpha.6/log.txt">https://crater-reports.s3.amazonaws.com/pr-73084-1/try%2340b20bc1bf55bfe3b99c09c905e596d3e650663c/reg/actix-webfinger-0.3.0-alpha.6/log.txt</a></p>



<a name="208587803"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/242791-t-infra/topic/crater%20and%20lockfiles/near/208587803" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Aaron Hill <a href="https://rust-lang.github.io/zulip_archive/stream/242791-t-infra/topic/crater.20and.20lockfiles.html#208587803">(Aug 31 2020 at 17:10)</a>:</h4>
<p>This will make it difficult for me to make progress on <a href="https://github.com/rust-lang/rust/issues/74616">https://github.com/rust-lang/rust/issues/74616</a>, since I don't know if the failing crates would have otherwise built if they weren't pulling in a old version of proc-macro-hack</p>



<a name="208590736"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/242791-t-infra/topic/crater%20and%20lockfiles/near/208590736" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/242791-t-infra/topic/crater.20and.20lockfiles.html#208590736">(Aug 31 2020 at 17:37)</a>:</h4>
<p><span class="user-mention" data-user-id="121055">@Pietro Albini</span> crates</p>



<a name="208590825"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/242791-t-infra/topic/crater%20and%20lockfiles/near/208590825" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Pietro Albini <a href="https://rust-lang.github.io/zulip_archive/stream/242791-t-infra/topic/crater.20and.20lockfiles.html#208590825">(Aug 31 2020 at 17:38)</a>:</h4>
<p>can't deal with this right now, sorry!</p>



<a name="208590917"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/242791-t-infra/topic/crater%20and%20lockfiles/near/208590917" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/242791-t-infra/topic/crater.20and.20lockfiles.html#208590917">(Aug 31 2020 at 17:39)</a>:</h4>
<p>sure, it's not super urgent, just general feedback :)</p>



<a name="208633708"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/242791-t-infra/topic/crater%20and%20lockfiles/near/208633708" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> lzutao <a href="https://rust-lang.github.io/zulip_archive/stream/242791-t-infra/topic/crater.20and.20lockfiles.html#208633708">(Sep 01 2020 at 00:46)</a>:</h4>
<p>if the new crates are release, could we ask the authors to cargo yank the unsound ones ?</p>



<a name="208633730"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/242791-t-infra/topic/crater%20and%20lockfiles/near/208633730" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> lzutao <a href="https://rust-lang.github.io/zulip_archive/stream/242791-t-infra/topic/crater.20and.20lockfiles.html#208633730">(Sep 01 2020 at 00:47)</a>:</h4>
<p>I was under impression that cargo will updating yanked crate versions.</p>



<a name="208634087"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/242791-t-infra/topic/crater%20and%20lockfiles/near/208634087" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Aaron Hill <a href="https://rust-lang.github.io/zulip_archive/stream/242791-t-infra/topic/crater.20and.20lockfiles.html#208634087">(Sep 01 2020 at 00:54)</a>:</h4>
<p>Part of the reason for doing the crater run is to prevent ecosystem breakage</p>



<a name="208634108"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/242791-t-infra/topic/crater%20and%20lockfiles/near/208634108" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Aaron Hill <a href="https://rust-lang.github.io/zulip_archive/stream/242791-t-infra/topic/crater.20and.20lockfiles.html#208634108">(Sep 01 2020 at 00:54)</a>:</h4>
<p>yanking crates would make that breakage happen for everyone, instead of just people using newer versions of rustc</p>



<a name="208634147"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/242791-t-infra/topic/crater%20and%20lockfiles/near/208634147" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Aaron Hill <a href="https://rust-lang.github.io/zulip_archive/stream/242791-t-infra/topic/crater.20and.20lockfiles.html#208634147">(Sep 01 2020 at 00:55)</a>:</h4>
<p>Also,  I think the solution for some of the unsoundness requires <code>MaybeUninit</code>, which isn't available in older versions</p>



<a name="208634535"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/242791-t-infra/topic/crater%20and%20lockfiles/near/208634535" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> DPC <a href="https://rust-lang.github.io/zulip_archive/stream/242791-t-infra/topic/crater.20and.20lockfiles.html#208634535">(Sep 01 2020 at 01:03)</a>:</h4>
<p>this is what is currently happening with some of the crater runs. If a crate contains unsound code in a version that's still being supported, we are advising the authors to yank the affected versions.</p>



<a name="208652723"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/242791-t-infra/topic/crater%20and%20lockfiles/near/208652723" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/242791-t-infra/topic/crater.20and.20lockfiles.html#208652723">(Sep 01 2020 at 07:29)</a>:</h4>
<p>personally I just ask them to fix and/or update</p>



<a name="208652735"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/242791-t-infra/topic/crater%20and%20lockfiles/near/208652735" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/242791-t-infra/topic/crater.20and.20lockfiles.html#208652735">(Sep 01 2020 at 07:29)</a>:</h4>
<p>basically I consider it "good enough" when, after a <code>cargo update</code>, everything works</p>



<a name="208652745"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/242791-t-infra/topic/crater%20and%20lockfiles/near/208652745" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/242791-t-infra/topic/crater.20and.20lockfiles.html#208652745">(Sep 01 2020 at 07:29)</a>:</h4>
<p>even with yanking, one still needs to do a <code>cargo update</code> anyway</p>



<a name="208668648"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/242791-t-infra/topic/crater%20and%20lockfiles/near/208668648" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Pietro Albini <a href="https://rust-lang.github.io/zulip_archive/stream/242791-t-infra/topic/crater.20and.20lockfiles.html#208668648">(Sep 01 2020 at 10:23)</a>:</h4>
<p>I guess I can review a PR adding <code>ignore-lockfiles=true</code> to Crater</p>



<hr><p>Last updated: Aug 07 2021 at 22:04 UTC</p>
</html>